How to Fix OpenSSL Verify Error: unable to get local issuer certificate (num=20)
Here is a summary of my experience fixing the “verify error:num=20:unable to get local issuer certificate” issue when working with SSL/TLS connections.
Problem Description:
When establishing an SSL/TLS connection using tools like OpenSSL (openssl s_client) or libraries that rely on OpenSSL, you may encounter the error message "verify error:num=20:unable to get local issuer certificate."
Typical commands that trigger it are “openssl s_client -connect login.microsoftonline.com:443”, “openssl s_client -servername login.microsoftonline.com -connect login.microsoftonline.com:443”, or “openssl s_client -connect google.com:443”.
This error indicates that the server’s certificate chain cannot be validated because the certificate of the issuer that signed it (the “local issuer”) is missing from, or not trusted by, the local trust store.
Root Cause:
The root cause of this issue is usually a missing or outdated root CA certificate in the system’s trust store. The trust store contains a collection of trusted root CA certificates used to validate the authenticity of server certificates during SSL/TLS connections.
Solution Steps:
There are several possible fixes, such as updating the CA certificates (“sudo yum update ca-certificates”) and refreshing the CA trust settings (“sudo update-ca-trust”). However, you may still get the same error when checking the certificate chain, so try the following steps to fix the “unable to get local issuer certificate” issue:
Obtain a CA certificate bundle:
One option is to download a CA certificate bundle, such as the cacert.pem file, which contains a collection of trusted root CA certificates. This bundle can be obtained from trusted sources, like the cURL website (https://curl.se/ca/cacert.pem), or other certificate providers. Depending on your test machine, you can use “curl -o cacert.pem https://curl.se/ca/cacert.pem” to download it into your local directory.
Point to the CA file when testing SSL/TLS connections:
“openssl s_client -CAfile cacert.pem -servername <server> -connect <server>:<port>”
or
“openssl s_client -CAfile cacert.pem -connect <server>:<port>”
Replace <server> with the server hostname or IP address and <port> with the appropriate port number.
Then you will find the error disappears.
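As an added example (not part of the original post), the script below reproduces the num=20 error offline with a throwaway root CA and a server certificate it signs, and then clears it with -CAfile, the same flag the post applies to openssl s_client. It assumes only that the openssl CLI is installed; the CA name and hostname are made up.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce "error 20: unable to
# get local issuer certificate" offline with a throwaway CA and a leaf cert it
# signs, then clear it the same way the post does for s_client, with -CAfile.
# Needs only the openssl CLI. All names are made up; files live in a temp dir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a private root CA and a server certificate issued by it.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=test.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against a trust store. $1 is a CA bundle path, or "none" to
# skip the default CA file and directory (what a client sees when the issuer
# is missing). Prints "OK" on success; otherwise prints openssl's error text
# (including the "error 20 ... unable to get local issuer certificate" line)
# and returns 1.
check_chain() {
  if [ "$1" = none ]; then
    set -- -no-CAfile -no-CApath
  else
    set -- -CAfile "$1"
  fi
  if out="$(openssl verify "$@" "$WORK/leaf.pem" 2>&1)"; then
    echo OK
  else
    echo "$out"
    return 1
  fi
}

make_chain
echo "--- without the issuer in the trust store:"
check_chain none || true
echo "--- with -CAfile pointing at the issuer:"
check_chain "$WORK/ca.pem"
```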
Experience and Tips:
Keep your system’s trust store up to date by regularly updating the root CA certificates. When encountering SSL/TLS validation issues, check whether the issuer certificate is present and trusted in the trust store. If the trust store is missing the necessary root CA certificate, download a trusted CA certificate bundle and point to it using the appropriate options or configuration in your SSL/TLS testing or application code. Only use a bundle fetched over HTTPS from a source you trust, since everything in it becomes a trust anchor for every connection that uses it. When doing this, it is recommended to have appropriate permissions and to follow established procedures or consult your system administrator.
Scenarios:
If you are reading this without having hit the error yourself, here are some scenarios in which a web server needs to establish an SSL/TLS connection and may run into it.
- Web Server Connection: The web server needs to establish an SSL/TLS connection to either login.microsoftonline.com or google.com. This connection is typically used for various purposes, such as retrieving data from an external API, performing authentication, or integrating with external services.
- SSL/TLS Connection: openssl s_client is commonly used to test SSL/TLS connections from the command line. By running the openssl s_client command with the appropriate parameters, such as -connect and -servername, you can establish a connection to a specific server (login.microsoftonline.com or google.com) and view the SSL/TLS certificate details. The “-showcerts” parameter displays the full certificate chain the server presents during the handshake, which shows you which issuer certificate is missing from your local trust store.